Risky Business

Risky Biz Soap Box: How to measure vulnerability reachability

Aug 14, 2025
Feross Aboukhadijeh, the founder and CEO of Socket, dives into the complexities of software supply chain security. He discusses how to measure the reachability of vulnerabilities in applications, emphasizing the importance of knowing whether a CVE actually impacts your project. Feross shares insights on the evolution of Socket from tracking malicious packages to tackling CVEs. He also highlights challenges in navigating legacy applications and the critical need for effective detection of malicious packages, advocating for a nuanced approach to software security.
INSIGHT

Reachability Explains Real Risk

  • Vulnerability scanners report components with CVEs but not whether those CVEs are actually exploitable in your app.
  • Reachability asks if an external attacker can follow a path through your code to trigger the vulnerable function.
INSIGHT

Static Analysis Hits The Halting Barrier

  • Static reachability is fundamentally hard because you can't predict all runtime behavior without executing code.
  • Practical tools must use heuristics and cutoffs to avoid nonterminating analysis and excessive CPU use.
ADVICE

Always Analyze The Full Dependency Tree

  • Analyze full dependency trees rather than only top-level modules to understand real exposure.
  • Avoid tools that skip transitive dependencies or monorepos because those blind you to deep reachable CVEs.
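The three snips above together outline one procedure: build a call graph over the application and its full dependency tree, search from the externally reachable entry points for a path to the function an advisory names, and bound that search so it always terminates. The Node.js program below is an added example written for this page; it is not code from the episode or from Socket. Every package, function, call edge, entry point and advisory identifier in it is constructed for illustration, and the call graph is hand-written rather than extracted from parsed source, which is where the hard part of a real tool lives.

```javascript
// Added example (not Socket's code): bounded static reachability over a
// constructed call graph of an app plus its transitive dependencies.
// Nodes are "package:function"; edges are static call sites. All package,
// function and advisory names below are invented for illustration.

const callGraph = {
  "app:handleUpload": ["app:parseMeta", "app:saveFile"],   // externally reachable HTTP handler
  "app:healthCheck": [],                                   // externally reachable, calls nothing
  "app:parseMeta": ["yaml-lib:parse"],
  "app:saveFile": ["fs-util:write"],
  "yaml-lib:parse": ["yaml-lib:compose", "yaml-lib:resolveTag"],
  "yaml-lib:compose": ["yaml-lib:resolveTag"],
  "yaml-lib:resolveTag": ["tag-resolver:construct"],       // crosses into a transitive dependency
  "tag-resolver:construct": ["tag-resolver:unsafeConstruct", "tag-resolver:safeConstruct"],
  "tag-resolver:unsafeConstruct": [],                      // function named by constructed advisory A
  "tag-resolver:safeConstruct": [],
  "fs-util:write": ["fs-util:write"],                      // retry loop: a cycle the search must survive
  "image-lib:resize": ["image-lib:decode"],                // installed, but nothing in app calls it
  "image-lib:decode": [],                                  // function named by constructed advisory B
};

// Package manifest flattened to a tree: root -> direct deps -> their deps.
const dependencyTree = {
  app: ["yaml-lib", "fs-util", "image-lib"],
  "yaml-lib": ["tag-resolver"],
  "fs-util": [],
  "image-lib": ["tag-resolver"],
  "tag-resolver": [],
};

const ENTRY_POINTS = ["app:handleUpload", "app:healthCheck"];
const ADVISORIES = { "ADVISORY-A": "tag-resolver:unsafeConstruct", "ADVISORY-B": "image-lib:decode" };

// Root plus direct dependencies only: what a "top-level only" scanner sees.
function directPackages(tree, root) {
  return new Set([root, ...(tree[root] || [])]);
}

// Root plus every transitive dependency.
function transitivePackages(tree, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const pkg = stack.pop();
    if (seen.has(pkg)) continue;
    seen.add(pkg);
    stack.push(...(tree[pkg] || []));
  }
  return seen;
}

// Breadth-first search from the entry points to `target`, restricted to
// `packages` when given. Returns {status: "reachable", path} with the shortest
// call chain, {status: "unreachable"} only when the whole in-scope graph was
// exhausted, and {status: "unknown"} when a depth or node budget stopped the
// search first. A budget stop must never be reported as "unreachable": that
// would turn the termination heuristic into a false sense of safety.
function findReachablePath(graph, entryPoints, target, opts = {}) {
  const { maxDepth = Infinity, maxNodes = Infinity, packages = null } = opts;
  const inScope = (node) => packages === null || packages.has(node.split(":")[0]);
  const visited = new Set();
  const queue = [];
  for (const entry of entryPoints) {
    if (inScope(entry) && !visited.has(entry)) {
      visited.add(entry);
      queue.push({ node: entry, path: [entry] });
    }
  }
  let expanded = 0;
  let truncated = false;
  while (queue.length) {
    const { node, path } = queue.shift();
    if (node === target) return { status: "reachable", path };
    if (path.length - 1 >= maxDepth) { truncated = true; continue; }   // depth cutoff
    if (++expanded > maxNodes) return { status: "unknown", reason: "node budget exhausted" };
    for (const callee of graph[node] || []) {
      if (visited.has(callee) || !inScope(callee)) continue;  // visited set breaks cycles
      visited.add(callee);
      queue.push({ node: callee, path: [...path, callee] });
    }
  }
  return truncated ? { status: "unknown", reason: "depth limit reached" } : { status: "unreachable" };
}

// Triage every advisory against the entry points under one analysis policy.
function triage(advisories, opts) {
  const out = {};
  for (const [id, fn] of Object.entries(advisories)) {
    out[id] = findReachablePath(callGraph, ENTRY_POINTS, fn, opts);
  }
  return out;
}

console.log("full tree:     ", JSON.stringify(triage(ADVISORIES, { packages: transitivePackages(dependencyTree, "app") })));
console.log("top-level only:", JSON.stringify(triage(ADVISORIES, { packages: directPackages(dependencyTree, "app") })));
console.log("depth cutoff 3:", JSON.stringify(triage(ADVISORIES, { maxDepth: 3 })));
```

Run with `node reachability.js`. The full-tree pass reports advisory A as reachable with the chain handleUpload, parseMeta, parse, resolveTag, construct, unsafeConstruct, and advisory B as unreachable even though image-lib is installed: the scanner would flag both, reachability separates them. The top-level pass cannot see tag-resolver and reports advisory A as unreachable, which is the false negative the last snip warns about. The depth-limited pass stops before it can decide and says so; a tool that collapses that "unknown" into "unreachable" is quietly hiding risk.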